For a comprehensive and up to date solution try the Nessus fork OpenVas.org with Nikto as a plugin.

OpenVas is quietly becoming a strong contender.

Id be interested to see how you rate it amongst the other scanners, maybe the next time you do a review you could check them out and give your opinion on it. =)

Please, spare us your worthless drivel. Everyone has different levels of experience in security as well as differences in exposure to tools for the job. Unless you yourself are the a-1, cast iron, supreme being of security and do in fact “know it all” then how about you tone it back, be proffesional, offer constructive criticism and thank the author for his efforts even if his article did not meet your expectations.

You can’t even compare CANVAS,Metasploit with Core Impact, since CANVAS and Metasploit are for automated exploitation [they are frameworks with which great things can be done not ordinary tools].

Core Impact [a tool] automates a whole pen-test from scratch … The agents concept in it and the extendability provided by its python plugins, are cool.

I think Core Impact is a good tool for what you pay. [I have used it personally, it fares well for what it costs]

Btw, exploitation and pen-testng are two entirely different beasts.

I’d opt to vote for metasploit instead of canvas, since it’s free and can do almost anything canvas can do.

There are two types of scanners, if you take a broad classification.
Web scanners, Network Scanners.

Comparing all types of scanners [commerical vs. free,professional tools vs. toys, web vs. net-scanners,etc] in one report is not fair, and the author doesn’t do a comprehensive report here…

I’d say 5 marks can be awarded to this report … ?! perhaps on a scale of 10. It’s a exhaustive process to evaluate “types,commercial/pricings,good,bad things,technical value,business value” that each scanner has to offer and document it.

Cheers :)
Kish

Performs scan AND FULL penetration. Not just tests, it gets into your network and makes it literally cake for all sh*tty diapered skiddies to pwn systems protected by seasoned security experts… Imagine the power… Now imagine the nightmare: $25,000 to license. Nightmare bonus: a “pirated” version will *never* become available, ever. So die skiddies.

Metasploit it shall be then, tastes great, less filling.

Though I think SSS nstalker are not bad tools, they are not truly professional grade tools. First question to be asked is, what is it that you want from vulnerability scanner.

I have been developing vulnerability management program for numerous companies, to my knowledge in terms of a vulnerability scanner nothing has come close to Qualys scanner. Lowest rate of false positives and it truly meets the business goals and objectives. It also looks good from regulatroy compliance perspective.

Don’t get me wrong I have nothing bad to say for any of the tools, but I did not think the review was fully researched.

In regards to metasploit or core impact: They are NOT vulnerability assessment tools. They are penetration testing tools, which you can use to test the posture of your security after you discover vulnerabilities. Yes they do have vulnerability detection engine, however it is not as thorough. Canvas, core impact and metasploit should be used to conduct intrusive testing to validate the posture of your systems, however they are NOT vulnerability assessment tools, they are tools that can be used within vulnerability management program in conjuction with a vulnerability assessment tool such as QUALYS FOUNDSCAN EEYE NESSUS etc.

I also liked Harris Stat Analyzer, although I have not used it in about a year now. If Foundstone would tie in with Nessus as Harris Stat Analyzer did, then Foundstone would be by far the best tool on the market.

I always find it amusing when people state that they like SSS. I think the program sucks.

Not only did the article make this mistake but some of people commenting did as well. I’d be willing to bet that these same people are fuzzy on the differences between risks, exposures, threats, and vulnerabilities as well. We can do better. If we aren’t precise about these concepts then we can’t expect the people we’re trying to help to be.

There are so many errors in this post I don’t know where to begin

Was the point of this test to compare automated WEB vulnerability scanners against full fledged scanners? There is no sense in comparing nikto/whisker/nscan to qualys, langaurd, retina, nessus, etc.

Why would someone even use whisker and nikto in the same bake off? It’s well known that nikto is built off whiskers defunct framework. That’s right, they are the same scanner. Nikto can boast that it has more checks but if you actually had experience with any of these products you would know how out of date nikto is too.

And why would IDS evasion be criteria for a security pro? Shouldn’t your have explicit authorization to perform scans against your devices?

p.s. To the poster above, metasploit isn’t a vulnerability scanner. It’s and exploitation framework.